The information was supposedly jacked from customers who signed up for their rewards program, which allows you to order food online. The loyalty program is called 'MyPanera' and to sign up, you must give your name, email address, mailing address and birthday. You also use the program to order food on the web, which means you must give your credit card number.

This apparently all started in August of 2017 when the issue was pointed out to the company by a security researcher. He says the company blew him off and although they said they were working on the problem, nothing ever came of it and the issue continued for months.

This researcher notified Krebs On Security, who says millions of customers may have had their records leaked because the company initially blew off the claim until this past Monday, April 2nd.